What Is SSL/TLS? | NOC.org

Understanding SSL and TLS

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are cryptographic protocols that encrypt communications between two parties over a network. Although the term "SSL" is still widely used in everyday conversation, SSL itself has been deprecated since 2015. What people refer to as "SSL" today is almost always TLS — specifically TLS 1.2 or TLS 1.3.

TLS is the protocol that makes HTTPS possible. When you see the padlock icon in your browser's address bar, your connection is secured by TLS. The protocol provides three guarantees: encryption (data cannot be read by third parties), authentication (the server is who it claims to be), and integrity (data has not been tampered with in transit).

SSL History and Deprecation

SSL was originally developed by Netscape in the mid-1990s. The protocol went through three versions:

• SSL 1.0: Never publicly released due to serious security flaws.
• SSL 2.0 (1995): Released publicly but quickly found to have critical vulnerabilities, including susceptibility to man-in-the-middle attacks.
• SSL 3.0 (1996): A complete redesign that addressed SSL 2.0's weaknesses. It was widely used for nearly two decades but was ultimately broken by the POODLE attack in 2014.

After SSL 3.0 was compromised, the IETF formally deprecated all versions of SSL. The industry had already been transitioning to TLS, which was first released in 1999 as an upgrade to SSL 3.0.

TLS Versions

TLS has evolved through four versions, with each iteration improving security and performance:

• TLS 1.0 (1999): The first TLS version, functionally similar to SSL 3.0 with incremental security improvements. Deprecated in 2020 by RFC 8996.
• TLS 1.1 (2006): Added protections against cipher block chaining (CBC) attacks. Also deprecated in 2020.
• TLS 1.2 (2008): Introduced support for modern cipher suites, including AES-GCM and SHA-256. Still widely supported and considered secure when configured properly.
• TLS 1.3 (2018): A major overhaul that removed legacy features, reduced the handshake to a single round trip, and mandates forward secrecy. TLS 1.3 is the current standard and should be the target for all deployments.

The TLS Handshake

The TLS handshake is the process by which a client and server establish an encrypted connection. In TLS 1.3, the handshake is streamlined to a single round trip:

• The client sends a "Client Hello" message with its supported cipher suites and key share.
• The server responds with a "Server Hello," its chosen cipher suite, key share, and its digital certificate.
• The client verifies the server's certificate against trusted Certificate Authorities.
• Both parties derive symmetric encryption keys from the shared key material.
• Encrypted communication begins immediately.

TLS 1.3 also supports 0-RTT (zero round trip time) resumption, where a client that has previously connected to a server can send encrypted data in the very first message, eliminating handshake latency for repeat connections.

TLS Certificates

A TLS certificate (commonly called an "SSL certificate") is a digital document that binds a domain name to a public key. Certificates are issued by Certificate Authorities (CAs) after verifying that the applicant controls the domain. There are three validation levels:

• Domain Validation (DV): Confirms domain ownership only. Issued in minutes, often for free (e.g., Let's Encrypt).
• Organization Validation (OV): Confirms domain ownership and verifies the organization's legal identity.
• Extended Validation (EV): The most thorough verification, including legal, physical, and operational checks on the organization.

Why TLS Matters

TLS is the foundation of secure communication on the Internet. Without it, login credentials, payment data, and personal information would be exposed to anyone on the network path. Beyond security, TLS is required for HTTP/2 and HTTP/3 performance optimizations, HSTS enforcement, and maintaining the trust signals (padlock icon, no browser warnings) that users expect.

Deploying TLS correctly means using TLS 1.2 or 1.3, configuring strong cipher suites, implementing security headers, and pairing your certificate with a CDN that terminates TLS at the edge for both performance and security.